What are the Policy Certificate (CP) and the Certification Practice Statement (CPS)?

A Certification Practice Statement (CPS) is a document that specifies the practices that a Certificate Authority (CA) employs to issue certificates on its public key infrastructure (PKI).

In general, a public key certificate – or simply a certificate – establishes a relationship between an entity's public key (either a person, an organization or, in the case of RPKI, a numbering resource) and a set of data that identifies said entity (names, telephone numbers, IP addresses or autonomous systems). This entity is usually known as the "subject" of the certificate.

A certificate "user" is another entity that needs to use the data and public key specified in a certificate. The certificate user trusts the veracity of the relationship described by the certificate. These certificates are most commonly used for verifying digital signatures.

A CPS is not, of itself, a contract, but it is of fundamental importance as it provides a baseline for auditing a Certificate Authority's management procedures.

A CPS must contain detailed information on:

The procedures used to issue certificates, including the procedures followed to verify the relationship between an entity and its public key. In the case of RPKI, this refers to how the authority to use certain IP address resource is verified.

The detailed life cycle of the certificates that are issued, i.e. how to request a certificate, how the certificate is issued, its expiration date, how it is renewed, as well as how and why it may be cancelled.

Technical aspects such as a detailed description of the facilities, physical access controls, operational roles, separation of responsibilities, and the auditing controls to be implemented.

Technical aspects relating to the generation of cryptographic material and private key management.

Generally speaking, a Certificate Policy (CP) covers the same topics as a CPS but does so from a more abstract, less operational point of view. For example, in the case of physical access control, a CP may state that "Biometric fingerprint access control shall be implemented for all personnel".

On the other hand, a CPS contains strictly operational details such as, for example, which access control equipment will be installed or what algorithms will be used to protect a key. Continuing with the preceding example, the CPS must specify which biometric access control equipment provider will be used and how the personnel's fingerprints will be taken.

Because they are policy and minimum specification documents, a CP is often shared by various CAs and may therefore be important when seeking interoperability among different CAs. A CPS, however, is specific to one CA.

Current status of the CPS for LACNIC's RPKI

LACNIC is currently working on preparing the CPS for the RPKI Certificate Authority. This document is well advanced and a draft version is already available.

The community's trust in the certificates issued by LACNIC's RPKI Certificate Authority is essential for certificates to begin being used to validate the use of resources. This trust is largely related to the community's opinion on the aspects detailed in the CPS, which is why LACNIC encourages the community to provide their opinions, comments and general feedback on the document.